I was going to ask about this: Apereo/Unicon, do you have a policy on what/when
“breaking” changes are allowed between different versions?
E.g. https://semver.org/
In addition to the registry location property change, I think we were also bit
by a change from JSON to HJSON somewhere back there
On Jan 11, 2018, at 11:52 PM, Fabio Martelli <fabio.marte...@gmail.com> wrote:
On 11/01/2018 19:49, Ray Bon wrote:
Fabio,
The threshold throttle is a rate. In your example it works out to 1 failed
attempt in 100 seconds. Any user will try a second time within that 100
seconds. Set
Since SAML is almost entirely browser-mediated, try using the SAML Decoder
plugin for Firefox to view the payload.
Tom.
> On Dec 20, 2017, at 9:50 AM, Mike Sullivan wrote:
>
>
> I am trying to troubleshoot an authentication issue with a vendor and need to
> log or look at the SAML response t
This is why the most common profile for SAMLResponse is POST. That, or use SAML
Attribute Query (uncommon with SAML 2.0).
Tom.
> On Nov 14, 2017, at 8:59 AM, Fabio Martelli wrote:
>
> Hi All, I have some trouble with SAML Authentication through mod_proxy_http.
>
> It seems that there is a str
> On Oct 25, 2017, at 8:42 AM, Duane Booher wrote:
>
> For CAS 5.0 /cas/status access, the only way I can get access is with a
> single ip, such as cas.adminPagesSecurity.ip=127.0.0.1
>
> My question, is there any additional pattern matching capabilities and/or a
> list of ip addresses? In CA
Morning,
Are there any (somewhat) supported CAS clients for Apache httpd (2.2) on
Windows?
A security update to Apache httpd 2.4 for CVE-2016-8743 broke some of our
legacy Windows CAS clients, specifically those with old versions of
mod_auth_cas running on Windows with httpd 2.2. Service-valid
> On Jul 10, 2017, at 1:02 PM, Tim McLaughlin wrote:
>
> I'm checking this out now. I'm on 5.0.3 so I'll rebuild with 5.0.7 and see
> if we still see the issue...
>
> I've added:
> cas.authn.ldap[0].poolPassivator=CLOSE
Does this break connection pooling by presumably closing a connection w
> On Jun 30, 2017, at 12:32 PM, Uxío Prego wrote:
>
> According to http://www.ietf.org/rfc/rfc2376.txt via
> https://stackoverflow.com/a/2965701/1737973 probably either 'text/xml' or
> 'application/xml'. Does transmitting 'text/html' cause a problem?
Not sure. We have several hundred CAS clients; s
Ping.
We found where to set in the code. Question is: what should the response type
be?
Tom.
> On Jun 27, 2017, at 2:26 PM, Tom Poage wrote:
>
> We're staging CAS 5.1 and noticed the serviceValidate end point is returning
> Content-Type: text/html.
>
> Our C
We're staging CAS 5.1 and noticed the serviceValidate end point is returning
Content-Type: text/html.
Our CAS 4.2 instance returns application/xml from serviceValidate.
I don't see Content-Type in the protocol specification other than saying the
response is XML-formatted.
What type should the
My experience with memberOf and certain LDAP implementations is that it can be
considered an operational attribute, so must be explicitly listed as a
requested attribute. This might be cas.authn.attributeRepository.attributes
https://apereo.github.io/cas/5.0.x/installation/Configuration-Propert
> On Mar 3, 2017, at 7:42 AM, Tom Poage wrote:
...
> A user not paying attention may (and does) walk away from their browser, and
> it goes on and on. I've recorded one session that looped over 14,000 times
> before stopping.
Strike that, it was over 121,000 times (was
ow many times one re-logs into the same service,
separating that from outright looping.
Thanks.
Tom.
> On Feb 27, 2017, at 5:38 PM, Tom Poage wrote:
>
> CAS 4.2.6
>
> Think I'm missing something. Want to collect ST usage by user session from
> CAS (audit) logs and cannot
On Feb 28, 2017, at 8:41 AM, Bryan Wooten <ttbaja...@gmail.com> wrote:
...
To be honest, our numbers are high because we have a really aggressive Solarwinds
monitoring system. It does end-to-end “synthetic transactions” from up to 50
locations on campus and on AWS. The monitoring hits 10
Bryan,
Curious, what is your session lifetime?
Ours is (a legacy) 12 hours. We have roughly 73k core affiliate (faculty,
staff, student, ...) accounts, so people generally login only once a day or so.
24 Feb:
AUTHENTICATION_SUCCESS: 91116
SERVICE_TICKET_VALIDATED: 161060
Cf.
for h in casweb{
ool config/validation.
Tom.
> On Feb 24, 2017, at 3:59 PM, Tom Poage wrote:
>
> This issue looks to have just bit us with 4.2.x, as well.
>
> A network configuration error led to losing two of our four CAS servers at a
> busy time of day. Some fraction of the users needed to
CAS 4.2.6
Think I'm missing something. Want to collect ST usage by user session from CAS
(audit) logs and cannot find how to (w/o coding) inject username into the TGT
creation log, cf.
2017-02-27 00:00:09,169 INFO
[org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Mon Feb 27
0
> On Feb 27, 2017, at 2:14 AM, Jérôme Nenert wrote:
>
> Turning off DefaultTicketRegistryCleaner (
> cas.ticket.registry.cleaner.enabled=false ) led to an increase in system load.
Interesting. I would have expected the opposite, assuming
DefaultTicketRegistryCleaner in CAS 5 is still sep
This issue looks to have just bit us with 4.2.x, as well.
A network configuration error led to losing two of our four CAS servers at a
busy time of day. Some fraction of the users needed to re-login, so there was a
natural increase in LDAP pool connections. Every time the validator ran, each
co
Hazelcast cleans its own tickets, so the DefaultRegistryCleaner is unnecessary,
and actually competes with Hazelcast for access to the cache (we found out the
hard way when system load went through the roof at scale).
To disable the DefaultRegistryCleaner (cas.properties):
CAS 4.2.x (maybe othe
> On Jan 10, 2017, at 8:30 AM, Daniel Rakaric wrote:
>
> Hi,
>
> Recently our institution has been trying to implement a new load balancer. We
> have tried this out in our pre-prod environment and test out to see how our
> applications behave with this new implementation.
>
> So far, not a s
downside of removing the AJP timeout might be
a risk of a rare connection “hang” with no response (long timeout; not that
we’ve seen it other than what’s described here).
Tom.
On Nov 8, 2016, at 12:15 PM, Tom Poage <tfpo...@ucdavis.edu> wrote:
Running CAS 4.2.6 on Linux (Oracle/
Running CAS 4.2.6 on Linux (Oracle/RedHat Linux 7, VM, one “CPU”) w/
LDAP(tive) AuthN, Oracle Java 8, Tomcat 8(.0.33) fronted by Apache httpd 2.4
via AJP.
The AJP connector is (somewhat arbitrarily) set to a 20-second response timeout.
Seeing occasional 500 errors returned on POST, with corres
We currently run 4.2.6 with ldaptive:bind-search-authenticator Spring extension
wired into deployerConfigContext.xml.
With this configuration, the ldaptive connection pool search validator by
default queries the RootDSE (baseDn=“”). It looks like the validator search
base DN cannot be configure
And this tested out just fine with a short load test: several iterations of
request login page from server A, POST to server B, validate on server C, for
various values of A, B and C.
Tom.
On Oct 24, 2016, at 11:41 AM, Misagh Moayyed <mmoay...@unicon.net> wrote:
Yes and yes. Test bef
Don’t recall seeing cache-control in CAS itself (doesn’t mean it’s not there).
We've been doing the following in httpd:
ExpiresActive On
ExpiresByType text/css "access plus 1 hour"
ExpiresByType image/gif "access plus 1 hour"
ExpiresByType image/jpeg "access plus 1
With deprecation/removal of the login ticket ("lt") from the CAS login page
(around 4.2.6 or so), it seems login is now "stateless", in that one can now
submit the login form to a different cluster server than which generated the
login page.
Before we ask to change (remove) our load balancer TL
> On Oct 15, 2016, at 11:23 AM, Tom Poage wrote:
>
> This email I sent looks like it got stuck in Google yesterday for nearly
> 2-1/2 hours before delivery (cf. Received lines in mail header). List
> maintainers: Two followup emails I sent yesterday mid-day on this topic st
Disabling the registry cleaner brought load average on our (4) servers down to
0.01-0.20 (from 4.0-15.0).
cas.properties:
ticket.registry.cleaner.startdelay=-1
(value could have been zero, but -1 seemed more mnemonic of the intent)
Tom.
On Oct 14, 2016, at 1:28 PM, Tom Poage
mailto:tfpo
than or
equal to zero.
Tom.
* https://github.com/apereo/cas/commit/c1cbde11c5722e1930357d3dc3bdb6d4cffa8214
From: Misagh Moayyed
Date: Friday, October 14, 2016 at 10:43 AM
To: Tom Poage , CAS Community
Subject: Re: [cas-user] Server load w/ 4.2.6
You can exclude the hazelcast dependency from
> Is it possible to downgrade Hazelcast version (say, to 3.6) on CAS 4.2.6,
> i.e. were any new Hazelcast version-specific changes made between roughly
> 4.2.[12] and 4.2.6?
>
> Thanks.
> Tom.
>
> > On Oct 13, 2016, at 2:18 PM, Tom Poage wrote:
> >
>
4.2.6, i.e.
were any new Hazelcast version-specific changes made between roughly 4.2.[12]
and 4.2.6?
Thanks.
Tom.
> On Oct 13, 2016, at 2:18 PM, Tom Poage wrote:
>
> Afternoon,
>
> On moving from 4.2.1 to 4.2.6, our apparent system load increased
> dramatically.
>
> R
Afternoon,
On moving from 4.2.1 to 4.2.6, our apparent system load increased dramatically.
Run queue went from as high as 4 to nearly 30, with (Linux) load average
jumping from a max of 0.2 to about 15 for a user base (TGT count) of 46k.
A code diff doesn’t seem to show much, except perhaps for
Morning,
Attempting to run shib-cas-authn3 in IdP 3.2.1 with Jetty 9.3.5 and Java
1.8.0_91 (we're running separate IdP and CAS until we work out some details on
the integrated Shib+CAS).
The shib-cas-authn3 README mentions editing web.xml is optional, as the servlet
self-registers in a Servlet
Knock on wood: no additional Hazelcast errors after increasing the
heartbeat timeout to something more than the heartbeat interval. ;-)
Tom.
On 06/02/2016 09:33 AM, Travis Schmidt wrote:
> Looked a little further into this. The Hazelcast documentation says the
> heartbeat interval is 1 second, l
So it seems the default heartbeat timeout in Hazelcast is 5 minutes, but the
default heartbeat timeout in CAS is 5 seconds.
Purposeful (rationale?), or a scaling error?
Thanks!
Tom.
> On Jun 2, 2016, at 8:12 AM, Tom Poage wrote:
>
> Morning,
>
> We started running 4.2
Morning,
We started running 4.2.1 w/ Hazelcast (hz.cluster.tcpip.enabled=true) on Linux
VMs (RedHat variant) a couple of weeks ago with three nodes on the same subnet.
Things seemed fine initially, but a couple of days ago started getting cluster
errors starting with heartbeat timeout, several
Could swear I tried this, but trying it again worked:
Username: FrEd
serviceValidate:
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>fred</cas:user>
> On May 19, 2016, at 1:44 PM, Tom Poage wrote:
>
> Afternoon,
>
> CAS
Afternoon,
CAS 4.2.1
I'm having a little difficulty figuring out how to resolve a normalized
principal from an LDAP directory. E.g. user enters 'Fred' as the username and
I'd like to return the principal 'fred' from the uid attribute (as stored in
the directory).
If I use the (largely default
Afternoon,
Puzzling over documentation on hard timeouts:
https://jasig.github.io/cas/4.2.x/installation/Configuring-Ticket-Expiration-Policy.html
Says for HardTimeoutExpirationPolicy to configure:
with:
> # tgt.timeout.hard.maxTimeToLiveInSeconds
But the only use of this property is in:
ti
) = 0.00465504762 * #TGTs + 0.0047840476 * #STs + 0.0025
The intercept value is somewhat less than its standard deviation, so the
line may as well go through zero.
Tom.
On 04/15/2016 07:51 AM, Tom Poage wrote:
> Morning,
>
> Before we launch into this, has anyone estimated memory require
Morning,
Before we launch into this, has anyone estimated memory requirements for
Hazelcast (community) by number of users and usage patterns of their
population? We're prepping 4.2 for deployment, and switching from Ehcache to
Hazelcast.
E.g. our current TGT time-to-live is 12 hours. Over the
Another option with the httpd/Tomcat configuration is to use AJP.
server.xml:
httpd config (TLS-protected virtual host):
ProxyPass /cas/ ajp://localhost:8009/cas/
Depending on the amount of traffic, some tuning may be necessary wrt number of
httpd servers/threads and Tomcat connector thr
Perfect. Thank you!
Tom.
> On Jan 27, 2016, at 9:24 AM, Dmitriy Kopylenko wrote:
>
> Once the services are loaded into memory from the existing resource (file,
> URI), the responsibility for “watching” this resource lies in the separate
> component (a Spring managed bean bound to a periodic s
Morning,
https://github.com/Unicon/cas-addons/wiki/Configuring-JSON-Service-Registry
> Note: Since version 1.9, the value of the config-file attribute does not have
> to be file
> but rather, could be an external URL publicly available.
What is the behavior when watching a URL here (running ser
CAS 4.2.0 RC1:
Which is the preferred way now to configure the AuthenticationHandler
stack for 4.2 and beyond?
This one looks to be wired into AbstractAuthenticationManager.
>
> value-ref="proxyPrincipalResolver" />
> value-ref="primaryPrincipalResolver" />
>
setting
c:resolver-ref="dnResolver"
> c:handler-ref="authHandler" />
etc.
Thanks.
Tom.
On 01/20/2016 04:26 PM, Tom Poage wrote:
> I'm working out LDAP direct bind with 4.2.0 RC1.
>
> Relying on mostly default ldaptive configuratio
I'm working out LDAP direct bind with 4.2.0 RC1.
Relying on mostly default ldaptive configuration, the following works
when I directly wire in the bind DN format arguments:
Try as I might, I can't seem to come up with the magic escaping
incantation on the format (searchFilter) to make the docum
Let's say I can administratively obtain the TGT, encrypt it as in CAS 4.x, and
send that as a cookie to the /cas/logout path. Regardless of what's cached in a
client's browser elsewhere, would this invalidate the TGT? Seems it might. Then
if the client revisits /cas/login, they'd be forced to log i
> On Jan 14, 2016, at 8:13 AM, Misagh Moayyed wrote:
> [>] They do. See https://github.com/Jasig/cas/milestones
> CAS 4.2 RC1 has been out for a couple of weeks now. The GA release timeline
> will depend on community feedback and progress of tests.
>
> In short, monthly patch cycles. 3-month mi
> On Jan 13, 2016, at 10:43 PM, Misagh Moayyed wrote:
>
>> In general, how might one administratively kill a CAS session in CAS 4.x?
>
> [>] Only possible in 4.2 and beyond. You log into the SSO Sessions
> dashboard, find the session you want and you kill it with a click of a
> button.
Under
On 01/13/2016 01:15 PM, Tom Poage wrote:
> "casuser") the cache key and value are the same (the TGT value). What
> I'd really like to do is find a TGT cache (session) entry by principal
> in case we have a breach and need to kill the session.
Perhaps this can be d
What seems to have worked wrt observing the ticket map was to extract
hazelcast-ticket-registry.xml copy to
src/main/resources/META-INF/spring, and modify the
com.hazelcast.config.Config bean to include:
>
>
>
>
> On Jan 13, 2016, at 8:05 AM, Tom Poage wrote:
>
> Morning,
>
> Anyone manage to get the Hazelcast management console enabled on CAS 4.1
> (maven overlay)?
Progress:
> [STDERR] Jan 13, 2016 8:49:49 AM
> com.hazelcast.internal.management.ManagementCente
Morning,
Anyone manage to get the Hazelcast management console enabled on CAS 4.1 (maven
overlay)?
I'm trying to decide whether to grab a copy of hazelcast.xml and modify to
enable the management center vs. use Spring configuration. I can't see offhand
that enabling the management interface in
That's good to know. If I recall correctly, prior sample configurations of CAS
3.x--at least with Ehcache--had TGTs configured to replicate asynchronously and
STs synchronously (interpreted as non-real time and real time, respectively).
So if I understand correctly, *both* TGT and ST cache entri
>> On Dec 13, 2015, at 8:46 AM, Misagh Moayyed wrote:
>>
>>> Q: Our TGTs are not replicated synchronously (every 10s), the STs are. I
>>> assume an ST entry on a CAS server contains the user principal, or we
>>> would
>>> have seen principal resolution problems much, much earlier. Correct?
>>
>
> On Dec 16, 2015, at 12:46 PM, Tom Poage wrote:
>
> Poking around list archives and the github.io docs, I don't immediately see a
> recommended or minimum version of maven to use for the overlay build.
And I looked right past it and didn't see: Maven version 3+.
Some followup:
> On Dec 13, 2015, at 8:46 AM, Misagh Moayyed wrote:
>
>> -Original Message-
>> From: cas-user@apereo.org [mailto:cas-user@apereo.org] On Behalf Of Tom
>> Poage
>> Sent: Friday, December 11, 2015 10:48 AM
>> To: CAS Community
>>
Hello,
Poking around list archives and the github.io docs, I don't immediately see a
recommended or minimum version of maven to use for the overlay build.
Our new development platform is based on RedHat 7 (Oracle Linux 7). The maven
version available here is currently 3.0.5. Yes, I could simply
This has been happening intermittently for some time (and I'm aware of earlier
threads on the topic):
Every so often a user with a valid TGT visits a site and it triggers a loop
between our CAS servers (3.5.2) and one of a seemingly random selection of
CAS clients. If the user lets the browse